There are a few simple steps you can take for your organisation to run in the same direction, towards the same goal.
Anders Widahl Madsen has a background in consultancy and shares his recommendations and experiences from Bosco.
OUR DATA SPEAKS CLEARLY: BUSINESS AS USUAL IS HIGH RISK
Despite big investments and resources on CMDB and ITSM systems, the current state of compliance in most businesses is not optimal.
Our data from scanning thousands of servers shows that companies often have a great deal of unknown assets. If they continue to tackle compliance doing “business as usual”, the best case is that they exhaust their resources. The worst case is that they never achieve compliance.
With the new EU directive, NIS2, there are no excuses for not being compliant! With NIS2 it is not simply a matter of keeping trouble at a distance: solid risk assessment efforts that keep risk low must not be spared. Otherwise, there can be personal legal consequences for the top management responsible.
Following the standards means establishing an overview
ISO, NIST, CIS… all the major standards for Information Security management emphasize how important it is to have a thorough view of your organization’s computing assets, including end-user devices, data, and the systems and technologies that support them.
However, with the proliferation of virtual servers, mobile devices, the Internet of Things, cloud computing, and bring-your-own-device policies, it is challenging to accurately track and manage these assets.
Inaccurate information about your technology assets can hinder your ability to assess their value and the potential cybersecurity risks they pose. To address this issue, it is essential to implement effective asset management practices, such as regularly inventorying and tracking devices and data, implementing security protocols, and investing in technology solutions that automate asset management processes.
By doing so, you can better protect your business and customers’ data and ensure your organization’s success in a digital world.
AUTOMATE WITH BOSCO AND GET A HEAD START
Fast-track your compliance using Bosco’s intelligent and data-driven approach. Using automated discovery, advanced analytics, and our unique algorithms, precious time and a lot of money can be saved. More importantly: top management can make informed and effective decisions – and continuously improve.
With Bosco all companies can achieve compliance on their assets – and top management can sleep calmly at night.
STEP ONE in your NIS2 or compliance journey
We have laid out the initial steps on your journey to NIS2 compliance:
- Conduct an inventory of the organization’s IT assets (e.g., servers, workstations, network equipment, applications, data)
- Determine the criticality of each asset (e.g., based on its importance to the organization’s operations or the sensitivity of the data it contains)
- Identify the potential threats to each asset (e.g., cyber attacks, natural disasters, hardware failures)
- Estimate the likelihood and potential impact of each threat
- Evaluate the effectiveness of the organization’s current controls in mitigating the risks to each asset
- Select controls to manage the risks to each asset based on the likelihood and impact of the threats and the effectiveness of the current controls. For example, if an unidentified asset (e.g. a zombie server) shows up in the inventory, action must be taken. How could it happen, what is the risk, and what can be done to mitigate it? Identify the root cause and implement a process to prevent it from recurring, or monitor more regularly and discover it before it becomes a risk.
- Implement the selected controls (e.g., by installing software updates, implementing access controls, conducting security training)
- Test the effectiveness of the controls and make any necessary adjustments
- Manage the risk activities from any tool in the context of the existing risk management framework and risk program (ISO, NIST, CIS etc.).
- Set up clear, unified organisational ownership and responsibility to make sure identified risks are managed and do not fall between two chairs – and to pass an audit.
- Realising the importance of managing risk across the organisation, some companies have begun to strengthen the risk function. Legal, compliance and IT risk capabilities are consolidated into one Risk organisation.
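As an added illustration of the inventory, criticality, likelihood/impact and control steps above (example code written for this page, not Bosco’s own tooling): it reconciles a constructed scan result against a constructed CMDB extract, flags any asset the CMDB does not know about as an unidentified (zombie) asset with worst-case risk, and ranks everything by likelihood × impact. The CMDB records, threat likelihoods and the rule that working controls halve likelihood are all assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample data: what the CMDB says we own, and what a scan actually found.
CMDB = {
    "web-01": {"criticality": 3, "controls_ok": True},
    "db-01":  {"criticality": 5, "controls_ok": True},
    "hr-app": {"criticality": 4, "controls_ok": False},
}
SCANNED = ["web-01", "db-01", "hr-app", "legacy-ftp"]  # legacy-ftp is not in the CMDB

# Assumed threat likelihoods on a 1-5 scale, one per threat type from the steps above.
THREATS = {"cyber attack": 4, "hardware failure": 2, "natural disaster": 1}

@dataclass
class RiskItem:
    asset: str
    threat: str
    likelihood: int
    impact: int
    score: int
    note: str

def reconcile(cmdb, scanned):
    """Step 1: split scanned hosts into known assets and unknown ('zombie') ones."""
    known = [h for h in scanned if h in cmdb]
    unknown = [h for h in scanned if h not in cmdb]
    return known, unknown

def assess(cmdb, scanned, threats):
    """Steps 2-6: score each asset/threat pair; unknown assets get worst-case values."""
    known, unknown = reconcile(cmdb, scanned)
    items = []
    for host in known:
        entry = cmdb[host]
        for threat, likelihood in threats.items():
            # Assumed rule: effective controls halve the likelihood (rounded up).
            eff = (likelihood + 1) // 2 if entry["controls_ok"] else likelihood
            items.append(RiskItem(host, threat, eff, entry["criticality"],
                                  eff * entry["criticality"], "known asset"))
    for host in unknown:
        # No inventory record means no criticality rating and no known controls:
        # assume the worst until the root cause is found and the asset is registered.
        items.append(RiskItem(host, "unidentified asset", 5, 5, 25,
                              "not in CMDB: find root cause, add to inventory"))
    return sorted(items, key=lambda r: r.score, reverse=True)

if __name__ == "__main__":
    for r in assess(CMDB, SCANNED, THREATS):
        print(f"{r.score:>3} {r.asset:<11} {r.threat:<18} {r.note}")
```

The unknown host lands at the top of the list, ahead of the known asset whose controls are not working, which is the ordering the zombie-server example in the steps calls for.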
BUILD A MEANINGFUL AND ACCURATE MODEL
Approach the risk analysis in a bottom-up manner and use an accurate model. Meaningful measurements can be effectively compared. These comparisons can then inform decisions and allow you to make effective choices.
By taking a bottom-up approach to risk analysis, you can be confident that you are making informed and effective decisions.